Microsoft admits critical flaw in nearly all Windows software

TED BRIDISAP Technology Writer

Published Thursday, July 17, 2003

WASHINGTON -- Microsoft Corp. acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.

Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free software repairing patch available from Microsoft's Web site.

The disclosure was unusually embarrassing for Microsoft because it demonstrated the first such serious flaw in the company's powerful new computer server software, billed as its safest ever.

The software is aimed at large corporate customers and was the first product sold under a high-profile "Trustworthy Computing" initiative organized last year by Microsoft founder Bill Gates.

At the product's launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Windows to be a "breakthrough in terms of what it means, in terms of its built-in security and reliability."

The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.

"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.

Microsoft said corporate firewalls commonly block the type of data connections that hackers outside a company would need for these attacks. The flaw affects Windows technology used to share data files across computer networks.

Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese -- anybody can walk in and out of their servers."

Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as "buffer overflows," which can trick software into accepting dangerous commands.

But four Polish researchers said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.